rubino-agent 0.3.0

data/lib/rubino/memory/threat_scanner.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module Rubino
+  module Memory
+    # Scans content destined for the memories table for adversarial patterns.
+    #
+    # Memory is a long-lived, cross-session channel that gets *spliced into
+    # every future system prompt*, so a single tainted write can persistently
+    # bias the agent across runs. We inspect every write at the boundary and
+    # refuse anything that smells like a known injection / exfiltration
+    # vector. We deliberately err on the side of false-positives — the agent
+    # can rephrase, but a planted directive in memory has no antidote.
+    #
+    # `.scan(content)` returns nil when safe, otherwise a short string
+    # describing the threat (used as both error_code label and audit log
+    # payload).
+    class ThreatScanner
+      # Prompt-injection markers. These are the cliches that show up in
+      # documented jailbreak attempts; any one match is enough to refuse —
+      # legitimate user-profile content has no reason to embed them.
+      PROMPT_INJECTION_PATTERNS = [
+        /ignore (?:all |the )?previous/i,
+        /disregard (?:all |the )?(?:above|previous)/i,
+        /you are now/i,
+        /new instructions:/i,
+        /^\s*system\s*:/i,
+        /^\s*assistant\s*:/i,
+        /<\|im_start\|>/i,
+        /<\|im_end\|>/i,
+        /\[INST\]/i
+      ].freeze
+
+      # Credentials embedded in a URL — classic data-exfil channel
+      # (scheme://user:pass@host).
+      URL_CREDENTIAL_PATTERN = %r{\b[a-z][a-z0-9+\-.]*://[^/\s:@]+:[^/\s@]+@}i
+
+      # Contiguous base64 of 200+ chars. Reasonable prose never has this;
+      # encoded payloads (binaries, encrypted blobs) do.
+      BASE64_BLOB_PATTERN = %r{[A-Za-z0-9+/]{200,}={0,2}}
+
+      # curl/wget piped to a shell — remote code execution recipe.
+      PIPE_TO_SHELL_PATTERN = /\b(?:curl|wget)\b[^\n]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b/i
+
+      # Zero-width characters and BIDI override / isolate codepoints. Used
+      # to hide instructions or swap visible text direction — see the
+      # "Trojan Source" class of attacks (CVE-2021-42574).
+      INVISIBLE_UNICODE_PATTERN = /[​‌‍‮⁦-⁩]/
+
+      class << self
+        # Returns nil when the content is safe, otherwise a short string
+        # naming the detected threat class (e.g. "prompt_injection").
+        def scan(content)
+          return nil if content.nil? || content.empty?
+
+          text = content.to_s
+
+          return "prompt_injection" if PROMPT_INJECTION_PATTERNS.any? { |p| text.match?(p) }
+          return "exfiltration_url_credentials" if text.match?(URL_CREDENTIAL_PATTERN)
+          return "exfiltration_pipe_to_shell" if text.match?(PIPE_TO_SHELL_PATTERN)
+          return "exfiltration_base64_blob" if text.match?(BASE64_BLOB_PATTERN)
+          return "invisible_unicode" if text.match?(INVISIBLE_UNICODE_PATTERN)
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/rubino/metrics.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+module Rubino
+  # In-process Prometheus-style metrics registry.
+  #
+  # Counters and histograms only — no gauges (process state is queried lazily
+  # by the /v1/health operation). The registry is a process-wide singleton;
+  # tests can call Metrics.reset! between examples to start clean.
+  #
+  #   Metrics.counter(:http_requests_total, method: "GET", status: 200).increment
+  #   Metrics.histogram(:http_request_duration_seconds, path: "/v1/runs").observe(0.034)
+  #
+  # Output is the Prometheus text exposition format (see Renderer), served by
+  # API::Operations::MetricsOperation.
+  module Metrics
+    # Default histogram bucket boundaries (seconds). Tuned for sub-second HTTP
+    # request latencies — fine granularity below 100ms, coarser past 1s.
+    DEFAULT_BUCKETS = [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10].freeze
+
+    # Monotonic counter keyed by label set. Thread-safe via internal mutex.
+    class Counter
+      attr_reader :name, :help
+
+      def initialize(name, help)
+        @name = name
+        @help = help
+        @values = Hash.new(0)
+        @mutex = Mutex.new
+      end
+
+      # Add `by` to the counter for the given label set (default 1).
+      def increment(by: 1, **labels)
+        @mutex.synchronize { @values[labels] += by }
+      end
+
+      def each(&)
+        @mutex.synchronize { @values.dup }.each(&)
+      end
+
+      def type = :counter
+    end
+
+    # Bucketed distribution keyed by label set. Buckets are CUMULATIVE per
+    # Prometheus convention: each observation increments every bucket whose
+    # `le >= value`, plus the implicit `+Inf` bucket. Thread-safe.
+    class Histogram
+      attr_reader :name, :help, :buckets
+
+      def initialize(name, help, buckets: DEFAULT_BUCKETS)
+        @name = name
+        @help = help
+        @buckets = buckets
+        @observations = Hash.new { |h, k| h[k] = { counts: Hash.new(0), sum: 0.0, count: 0 } }
+        @mutex = Mutex.new
+      end
+
+      # Record one observation. Increments every bucket with `le >= value`,
+      # the `+Inf` bucket, the `_sum`, and the `_count`.
+      def observe(value, **labels)
+        @mutex.synchronize do
+          obs = @observations[labels]
+          @buckets.each { |b| obs[:counts][b] += 1 if value <= b }
+          obs[:counts]["+Inf"] += 1
+          obs[:sum] += value
+          obs[:count] += 1
+        end
+      end
+
+      def each(&)
+        @mutex.synchronize { @observations.dup }.each(&)
+      end
+
+      def type = :histogram
+    end
+
+    class << self
+      # Fetch (or lazily create) the named Counter and bind `labels` for use via Proxy.
+      def counter(name, **labels)
+        registry[name] ||= Counter.new(name, descriptions.fetch(name, name.to_s))
+        Proxy.new(registry[name], labels)
+      end
+
+      # Fetch (or lazily create) the named Histogram and bind `labels` for use via Proxy.
+      def histogram(name, **labels)
+        registry[name] ||= Histogram.new(name, descriptions.fetch(name, name.to_s))
+        Proxy.new(registry[name], labels)
+      end
+
+      # Set the HELP text for `name`; applied when the metric is first created.
+      def describe(name, help)
+        descriptions[name] = help
+      end
+
+      # Yield each registered metric (Counter or Histogram).
+      def each(&) = registry.each_value(&)
+
+      # Drop all registered metrics. Intended for tests.
+      def reset!
+        @registry = nil
+      end
+
+      # Serialize the full registry to Prometheus text exposition format.
+      def render
+        Renderer.call(registry.values)
+      end
+
+      private
+
+      def registry
+        @registry ||= {}
+      end
+
+      def descriptions
+        @descriptions ||= {}
+      end
+    end
+
+    # Thin wrapper binding a metric to a pre-built label set so call sites
+    # read cleanly:
+    #   Metrics.counter(:foo, label: "x").increment
+    class Proxy
+      def initialize(metric, labels)
+        @metric = metric
+        @labels = labels
+      end
+
+      def increment(by: 1)
+        @metric.increment(by: by, **@labels)
+      end
+
+      def observe(value)
+        @metric.observe(value, **@labels)
+      end
+    end
+
+    # Serializes metrics to Prometheus text exposition format:
+    #   # HELP name help text
+    #   # TYPE name counter|histogram
+    #   name{label="value",...} value
+    # Label values are escaped for `"`, `\`, and newline.
+    module Renderer
+      def self.call(metrics)
+        metrics.flat_map { |m| render_metric(m) }.join("\n") + "\n"
+      end
+
+      def self.render_metric(metric)
+        lines = ["# HELP #{metric.name} #{metric.help}", "# TYPE #{metric.name} #{metric.type}"]
+        case metric.type
+        when :counter
+          metric.each { |labels, value| lines << "#{metric.name}#{format_labels(labels)} #{value}" }
+        when :histogram
+          metric.each do |labels, data|
+            data[:counts].each do |bucket, count|
+              lines << "#{metric.name}_bucket#{format_labels(labels.merge(le: bucket.to_s))} #{count}"
+            end
+            lines << "#{metric.name}_sum#{format_labels(labels)} #{data[:sum]}"
+            lines << "#{metric.name}_count#{format_labels(labels)} #{data[:count]}"
+          end
+        end
+        lines
+      end
+
+      def self.format_labels(labels)
+        return "" if labels.empty?
+
+        pairs = labels.map { |k, v| %(#{k}="#{escape(v)}") }.join(",")
+        "{#{pairs}}"
+      end
+
+      def self.escape(value)
+        value.to_s.gsub("\\", "\\\\").gsub('"', '\\"').gsub("\n", '\n')
+      end
+    end
+  end
+end

data/lib/rubino/modes.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module Rubino
+  # In-process switch that gates two orthogonal concerns from a single name:
+  #
+  #   :default — tutti i tool registrati, approval rules from config
+  #   :plan    — solo tool read-only (read/grep/glob/web/todo/question)
+  #   :yolo    — tutti i tool, ApprovalPolicy bypassata (sempre :allow)
+  #
+  # Lives at the process level intentionally — alpha rule: no premature
+  # persistence. A new `rubino chat` boots in :default; an explicit
+  # `/mode yolo` or `Modes.set(:yolo)` from the API caller takes effect
+  # for the rest of that process. We can move it onto Session later if
+  # users actually want it sticky.
+  #
+  # Boot pinning (#3): the process forgets the active mode on restart, which
+  # surprises callers when an external supervisor re-applies config and bounces
+  # the process out from under an already-set mode. Rather than introduce
+  # on-disk state, the initial mode is read once from the RUBINO_BOOT_MODE env
+  # var: an unattended supervisor can pin it in the process environment so a
+  # restart comes back up in the same mode it was configured for. Unset (the
+  # normal interactive case) keeps the :default boot. An unknown value is
+  # ignored so a typo in the environment can never crash boot.
+  module Modes
+    DEFAULT = :default
+    PLAN    = :plan
+    YOLO    = :yolo
+    ALL     = [DEFAULT, PLAN, YOLO].freeze
+
+    # Tool names allowed in plan mode. Pulled by string against Tool#name
+    # in the Registry — see Tools::Registry.enabled_tools. Keep this list
+    # in sync with the actual tool names registered in
+    # Tools::Registry.register_defaults!; the spec pins both sides.
+    READ_ONLY_TOOLS = %w[read grep glob webfetch websearch todowrite question shell_output skill].freeze
+
+    DESCRIPTIONS = {
+      DEFAULT => "all tools, approvals from config",
+      PLAN => "read-only tools only, no edits/shell/git",
+      YOLO => "all tools, approvals skipped"
+    }.freeze
+
+    class << self
+      def current
+        @current ||= boot_default
+      end
+
+      # Switches the active mode. Returns the new mode symbol. Raises on
+      # an unknown name so a typo in a slash command surfaces immediately
+      # rather than silently leaving the previous mode in place.
+      def set(name)
+        sym = name.to_s.downcase.to_sym
+        raise ArgumentError, "unknown mode: #{name.inspect} (valid: #{ALL.join(", ")})" unless ALL.include?(sym)
+
+        @current = sym
+      end
+
+      # Initial mode for a fresh process. Honours RUBINO_BOOT_MODE so an
+      # external supervisor can pin the mode across a restart without any
+      # on-disk state; an unset or unknown value falls back to DEFAULT.
+      def boot_default
+        raw = ENV.fetch("RUBINO_BOOT_MODE", nil)
+        return DEFAULT if raw.nil? || raw.strip.empty?
+
+        sym = raw.strip.downcase.to_sym
+        ALL.include?(sym) ? sym : DEFAULT
+      end
+
+      def reset!
+        @current = DEFAULT
+      end
+
+      def description(name = current)
+        DESCRIPTIONS[name.to_s.downcase.to_sym]
+      end
+
+      # Used by Tools::Registry.enabled_tools. Plan is the only mode that
+      # filters; default and yolo both pass everything through.
+      def allows_tool?(tool_name)
+        return true unless current == PLAN
+
+        READ_ONLY_TOOLS.include?(tool_name.to_s)
+      end
+
+      # Used by Security::ApprovalPolicy#decide. Yolo short-circuits to
+      # :allow before any pattern matching; plan never reaches the policy
+      # because the tools it would gate are already filtered out of the
+      # registry.
+      def skip_approvals?
+        current == YOLO
+      end
+    end
+  end
+end

data/lib/rubino/oauth/connection_repository.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require "securerandom"
+require "json"
+require "time"
+
+module Rubino
+  module OAuth
+    # Persistence for OAuth connections backed by the +oauth_connections+
+    # table. Tokens are encrypted on write and decrypted on read through
+    # {TokenEncryptor}, so every hash returned by this repository carries
+    # plaintext +:access_token+/+:refresh_token+ alongside parsed +:scopes+
+    # (Array) and +:metadata+ (Hash) — callers never deal with ciphertext or
+    # raw JSON columns.
+    #
+    # {#upsert} is keyed on +(provider, account_id)+: re-authenticating the
+    # same provider account updates the existing row in place (preserving its
+    # +id+ and +created_at+) rather than duplicating.
+    class ConnectionRepository
+      def initialize(db: nil, encryptor: nil)
+        @db = db || Rubino.database.db
+        @encryptor = encryptor || TokenEncryptor.from_env
+      end
+
+      # Insert or update a connection identified by +(provider, account_id)+.
+      # Tokens are encrypted before they hit the database.
+      #
+      # @return [Hash] the freshly-decrypted row as returned by {#find}:
+      #   includes all schema columns plus plaintext +:access_token+ and
+      #   +:refresh_token+, +:scopes+ (Array<String>) and +:metadata+ (Hash).
+      #   The +:access_token+/+:refresh_token+ values are sensitive — never
+      #   log them.
+      def upsert(provider:, account_id:, access_token:, account_email: nil, refresh_token: nil, expires_at: nil,
+                 scopes: [], metadata: {})
+        now = Time.now.utc.iso8601
+        existing = @db[:oauth_connections].where(provider: provider.to_s, account_id: account_id.to_s).first
+        id = existing ? existing[:id] : SecureRandom.uuid
+
+        attrs = {
+          id: id,
+          provider: provider.to_s,
+          account_id: account_id.to_s,
+          account_email: account_email,
+          access_token: @encryptor.encrypt(access_token),
+          refresh_token: @encryptor.encrypt(refresh_token),
+          expires_at: expires_at,
+          scopes_json: JSON.generate(scopes),
+          metadata_json: JSON.generate(metadata),
+          updated_at: now
+        }
+
+        if existing
+          @db[:oauth_connections].where(id: id).update(attrs)
+        else
+          @db[:oauth_connections].insert(attrs.merge(created_at: now))
+        end
+        find(id)
+      end
+
+      def find(id)
+        row = @db[:oauth_connections].where(id: id).first
+        decrypt(row)
+      end
+
+      def for_provider(provider)
+        @db[:oauth_connections].where(provider: provider.to_s).order(:created_at).map { |r| decrypt(r) }
+      end
+
+      def first_for_provider(provider)
+        decrypt(@db[:oauth_connections].where(provider: provider.to_s).order(:created_at).first)
+      end
+
+      def list
+        @db[:oauth_connections].order(:provider, :created_at).map { |r| decrypt(r) }
+      end
+
+      def destroy!(id)
+        @db[:oauth_connections].where(id: id).delete
+      end
+
+      private
+
+      def decrypt(row)
+        return nil unless row
+
+        row.merge(
+          access_token: @encryptor.decrypt(row[:access_token]),
+          refresh_token: @encryptor.decrypt(row[:refresh_token]),
+          scopes: JSON.parse(row[:scopes_json] || "[]"),
+          metadata: JSON.parse(row[:metadata_json] || "{}")
+        )
+      end
+    end
+  end
+end

data/lib/rubino/oauth/provider/github.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "json"
+
+module Rubino
+  module OAuth
+    class Provider
+      # GitHub OAuth 2.0 provider.
+      #
+      # Scopes are sent space-separated (GitHub's expected delimiter, inherited
+      # from {Provider#scope_separator}). When the authenticated user has set
+      # their primary email private, +/user+ returns +email: nil+; in that case
+      # we fall back to +/user/emails+ and pick the primary entry.
+      class Github < Provider
+        def self.id            = :github
+        def self.display_name  = "GitHub"
+        def self.site          = "https://github.com"
+        def self.authorize_path = "/login/oauth/authorize"
+        def self.token_path = "/login/oauth/access_token"
+        def self.default_scopes = %w[repo user:email]
+
+        API_BASE = "https://api.github.com"
+
+        # Revoke an access token by deleting the OAuth grant for our app.
+        # https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-token
+        # Authentication is the app's (client_id, client_secret) via Basic, not
+        # the user token — the token to revoke goes in the JSON body.
+        #
+        # @param access_token [String] user token to invalidate
+        # @return [Boolean] true on 204 (success), false otherwise.
+        def revoke(access_token)
+          conn = Faraday.new(url: API_BASE) do |f|
+            f.request :authorization, :basic, @client_id, @client_secret
+            f.headers["Accept"] = "application/vnd.github+json"
+            f.headers["Content-Type"] = "application/json"
+            f.headers["User-Agent"] = "rubino"
+          end
+          response = conn.delete("/applications/#{@client_id}/token", JSON.generate(access_token: access_token))
+          response.success?
+        end
+
+        def fetch_account_info(access_token)
+          conn = Faraday.new(url: API_BASE) do |f|
+            f.headers["Authorization"] = "Bearer #{access_token}"
+            f.headers["Accept"] = "application/vnd.github+json"
+            f.headers["User-Agent"] = "rubino"
+          end
+
+          user = JSON.parse(conn.get("/user").body)
+          email = user["email"] || fetch_primary_email(conn)
+
+          {
+            account_id: user["id"].to_s,
+            account_email: email,
+            metadata: { login: user["login"], name: user["name"] }
+          }
+        end
+
+        private
+
+        def fetch_primary_email(conn)
+          response = conn.get("/user/emails")
+          return nil unless response.success?
+
+          emails = JSON.parse(response.body)
+          primary = emails.find { |e| e["primary"] } || emails.first
+          primary && primary["email"]
+        rescue StandardError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/rubino/oauth/provider/google.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "json"
+
+module Rubino
+  module OAuth
+    class Provider
+      # Google OAuth 2.0 / OpenID Connect provider.
+      #
+      # Account info comes from the OIDC +/v1/userinfo+ endpoint; +sub+ is used
+      # as the stable account_id. The authorize request injects
+      # +access_type=offline+ and +prompt=consent+ — without both, Google only
+      # returns a refresh_token on the user's very first consent and not on
+      # subsequent re-auths, which silently breaks token refresh.
+      class Google < Provider
+        def self.id            = :google
+        def self.display_name  = "Google"
+        def self.site          = "https://accounts.google.com"
+        def self.authorize_path = "/o/oauth2/v2/auth"
+        def self.token_path = "https://oauth2.googleapis.com/token"
+        def self.default_scopes = %w[openid email profile]
+
+        USERINFO_URL = "https://openidconnect.googleapis.com/v1/userinfo"
+        REVOKE_URL   = "https://oauth2.googleapis.com/revoke"
+
+        # Revoke an access or refresh token. Google's revoke endpoint accepts
+        # either; revoking a refresh token implicitly invalidates all access
+        # tokens derived from it, so callers should pass the refresh token when
+        # available.
+        # https://developers.google.com/identity/protocols/oauth2/web-server#tokenrevoke
+        #
+        # @param token [String] access or refresh token
+        # @return [Boolean] true on 200, false otherwise.
+        def revoke(token)
+          response = Faraday.post(REVOKE_URL, { token: token },
+                                  "Content-Type" => "application/x-www-form-urlencoded")
+          response.success?
+        end
+
+        def fetch_account_info(access_token)
+          response = Faraday.get(USERINFO_URL, nil, "Authorization" => "Bearer #{access_token}")
+          user = JSON.parse(response.body)
+
+          {
+            account_id: user["sub"],
+            account_email: user["email"],
+            metadata: { name: user["name"], picture: user["picture"], hd: user["hd"] }
+          }
+        end
+
+        def build_authorize_request(redirect_uri:, scopes: nil, extra: {})
+          super(redirect_uri: redirect_uri, scopes: scopes,
+                extra: { access_type: "offline", prompt: "consent" }.merge(extra))
+        end
+      end
+    end
+  end
+end